Microsoft RDP Remote Code Execution Vulnerability (CVE 2019-0708)

As part of their May 2019 regular Patch Tuesday, Microsoft has publicly announced a critical vulnerability (CVE-2019-0708) in their Remote Desktop Services (aka Terminal Services) on older Windows platforms (including 2003, XP, Windows 7, Server 2008 R2, and Server 2008). They also took the unusual step of releasing patches for a large number of operating system versions (including some out of regular support). Microsoft’s announcement, and guidance, is here:

Network Box Security Response became aware of this, through our security partnerships, some weeks ago. Very few details were known, except that there was going to be a major problem with RDS in the coming few weeks. At that time, in co-operation with our regional Security Operation Centers, we conducted a thorough review of all devices under management to identify and document those with RDS potentially open to the Internet.

This vulnerability does not affect Network Box devices, but could affect Microsoft servers with RDS enabled. Of particular concern is those devices with RDS ports open to the general Internet, but the vulnerability could also be exploited locally.

At present, there are no known exploits of this vulnerability. However, given the nature of the vulnerability and high value of the targets, it is likely that such exploits will become a problem within the next few days/weeks. This is likely able to be ‘wormable’ – resulting in malware that can infect a host and then spread to others across the network.

It is our general security recommendation, and simply good practice, that administrative services such as RDS not be directly open to the Internet, and be locked down to either specific source IP addresses or VPN connections.

At this stage, this is the best advice, and we recommend:

If you have RDS ports (by default tcp/3389) open to the Internet, we recommend that you immediately close those down.

If you have RDS ports open to the LAN/DMZ, for administrative purposes, we recommend that you immediately close those down as well.

We recommend you either close the ports entirely, or restrict access to specifically identified administrative source IP addresses or VPN connections.

If you have no requirement for RDS services, you should disable them completely on your servers

Network Box can assist with this, and we will be contacting customers we have identified to have tcp/3389 open to the Internet directly.

Microsoft has released patches for this, and these should be applied as a matter of urgency.

As there are no known exploits of this, no protection has been adequately tested.

While all security vendors are urgently trying to release effective protection signatures (Network Box Security Response included), the best approach is to (a) patch, and (b) close down RDS tcp/3389, or the entire service, as per standard recommendations for administrative access services. The closure of port tcp/3389 should at least be until patches have been applied (but preferably permanently, as good general security practice).